On 04.07.2012 09:00, Abhishek Chanda wrote:
> Hi all,
>
> I am trying to configure Squid as a caching server.
Squid version?
> I have a LAN where
> The webserver (apache) is at 192.168.122.11 squid is at
> 192.168.122.21
> and my client is at 192.168.122.22. The problem is, when I look at
> Squid's access log, all I see are TCP_MISS messages. It seems Squid
> is
> not caching at all. I checked that the cache directory has all proper
> permissions. What else can go wrong here?
* Your web server may be informing squid no response is cacheable.
* Your web server may not be supplying cache-control expiry information
correctly. So Squid can't store it.
* Your clients may be informing Squid the content they need is outdated
and needs updating.
* You may be looking at log URLs which have hidden/truncated query
strings and are actually no repeat requests in your traffic.
> Here is my squid config:
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.1/8 0.0.0.0/32 ::1
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl CONNECT method CONNECT
> http_access allow all
"allow all" at the top of the security rules.
Run this command:
squidclient -p 3128 -h <your-squid-IP> -j google.com /
You should NOT be able to retrieve content for anyone elses website
through a properly configured reverse-proxy.
Please notice the http_access and cache_peer_access rules in
http://wiki.squid-cache.org/ConfigExamples/Reverse/VirtualHosting
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny all
> http_port 3128 accel defaultsite=cona-proxy vhost
HTTP uses port 80, not port 3128.
This is wrong unless all your public website URLs look like:
http://example.com:3128/something
It is a bad idea to test using a setup different than your intended
production configuration. The handling of ports and IPs changes
radically between the traffic modes.
... in this setup squid will default to passing
"http://cona-proxy:3128/" as the URL details to your origin servers,
with the "cona-proxy" replaced by whatever is in the Host: header *if*
one is provided.
> cache_peer 192.168.122.11 parent 80 0 no-query originserver login=PAS
"PAS" --> "PASS"
> name=webserver
> cache_dir ufs /var/spool/squid3 100 16 256
100MB cache.
> coredump_dir /var/spool/squid3
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
> refresh_pattern . 0 20% 4320
> always_direct allow all
There is one problem.
"always_direct allow all" --> AKA, "do not use any cache_peer
settings. Ever."
> acl server_users dstdomain cona-proxy
> http_access allow server_users
> cache_peer_access webserver allow server_users
> cache_peer_access webserver deny all
>
> In all machines, cona-proxy points to 192.168.122.21 (added that in
> /etc/hosts)
Bad. defaultsite=FQDN is a value which can appear on public URLs. If
you need to specify it in your hosts file
> Output of curl -v 192.168.122.11 from 192.168.122.22
>
> * About to connect() to 192.168.122.11 (#0)
> * Trying 192.168.122.11... connected
Notice how this is going directly to .11 machine. The proxy is never
contacted.
>> GET / HTTP/1.1
>> User-Agent: curl/7.22.0 (i686-pc-linux-gnu) libculr/7.22.0
>> OpneSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
>> Host: 192.168.122.11
>> Accept: */*
>>
> < HTTP/1.1 202 OK
> < Date Mon, 02 Jul 2012 05:48:50 GMT
> < Server: Apache/2.2.22 (Ubuntu)
> < Last-Modified: Tue, 19 Jun 2012 23:04:25 GMT
> < ETag: "27389-b1-4c2db4dc2c182"
> < Accept_Ranges: bytes
> < Content-Length: 177
> < Vary: Accept-Encoding
> < Content-Type: text/html
> < X-Pad: avoid browser bug
> <
This response includes some variant handling and heuristic age
calculation features.
I suggest using the tool at redbot.org on your URLs to find out why
they are MISS. It will scan for a large number of cases and report the
reasons for any caching issues or times.
Amos
Received on Tue Jul 03 2012 - 23:52:36 MDT
This archive was generated by hypermail 2.2.0 : Wed Jul 04 2012 - 12:00:02 MDT